DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

likeUser Has No Un-Like or Cooling-Off Mechanism – Mistaken Likes Are Permanent

bamgboseoluwole83

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

/# likeUser Has No Un-Like or Cooling-Off Mechanism – Mistaken Likes Are Permanent

## Summary

Once a user calls `likeUser`, the `likes[msg.sender][liked]` mapping is set to true permanently. There is no function to undo a like, cancel a pending match, or implement a cooling-off period. A user who accidentally likes the wrong address cannot correct their mistake.

## Vulnerability Details

**Impact:** Low

**Likelihood:** High

User error results in permanently lost ETH with no recovery. A mistyped address locks funds forever.

### Proof of Concept

The test below highlights the absolute finality of an accidental transaction. Once the `likeUser` function executes with an unintended address destination, there are no state transitions or emergency recovery functions available to toggle the mapping back to false or claim a refund.

```solidity

function test_PermanentLikeNoUndo() public {

vm.prank(alice);

profileNFT.mintProfile("Alice", 25, "imageHash");

// Alice accidentally likes the wrong address

vm.prank(alice);

likeRegistry.likeUser{value: 1 ether}(wrongAddress);

// No way to undo — like is permanent

assertTrue(likeRegistry.likes(alice, wrongAddress));

}

```

## Tools Used

Manual Review, Foundry

## Recommendations

Add an `unlikeUser` function that allows users to retract a pending like within a set time window, or before the other user has liked them back.

```solidity

function unlikeUser(address liked) external {

require(likes[msg.sender][liked], "Not liked");

require(!likes[liked][msg.sender], "Already matched — cannot undo");

delete likes[msg.sender][liked];

uint256 refund = 1 ether; // Refund the required minimum

userBalances[msg.sender] -= refund;

payable(msg.sender).transfer(refund);

}

```

/ Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

Recommended Mitigation

- remove this code

+ add this code

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!